Bug 5283: Cache Manager mgr:info returns 403

Open yadij opened this issue 1 year ago • 2 comments

When handling a request with an http://target/squid-internal... URL (e.g., cache manager pages and MIME icons), Squid needs to determine whether the URL points at the current/receiving Squid port. Requests with such URLs are marked as "internal requests" (their flags.internal becomes true). Internal requests are satisfied by the current instance. Otherwise, Squid forwards the request to its intended target.

When looking for internal requests, Squid requires a port number match and also compares the request target with various addresses, such as IPs determined by http_port configuration and by visible_hostname and hostname_aliases directives:

Until this change, Squid did not treat the "localhost" target specially. Now, requests targeting localhost are considered matching the receiving port if that port was configured with a wildcard IP address (which is the default port address) or a localhost address (e.g., 127.0.0.1). We are adding this temporary special handling because, since commit a4e35bd8ffe51cda83e63faab79bda5a838c7e1a, squidclient defaults to sending http://localhost:3128/squid-internal... URLs when handling mgr:page parameters[^1]. Many Squids forward those URLs and create a forwarding loop with an ERR_ACCESS_DENIED outcome. Until a better solution is implemented, we want those default squidclient mgr:page requests to resume working with (most) Squids running on the same host, even if Squid does not otherwise treat "localhost" as one of its names.

Squid now also treats requests with internal URLs targeting the receiving port's listening IP address as internal requests.

The added checks do not cover all cases where older Squids classified cache_object requests as internal and allowed them; Squid continues to reject some of the same-host mgr:info requests.

[^1]: Prior to that commit, squidclient defaulted to sending cache manager URLs with a cache_object:// scheme that Squid handled as targeting the current instance regardless of the host name in the URL. Internal URLs with an http:// scheme targeting "localhost" would fail back then as well, but squidclient did not send them by default.

yadij, Jul 03 '23 15:07
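
The classification rules described in the issue text above, modelled as an added C++ example; this is not Squid's code and not part of the original post. The type and function names are hypothetical. The case-insensitive host comparison, the wildcard spellings (empty, `0.0.0.0`, `::`) and the loopback test (`127.*`, `::1`) are assumptions made for the model.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical model types; none of these are Squid's own identifiers.
struct ListeningPort {
    std::string address;   // http_port address; "" models the wildcard default
    unsigned short port;
};
struct Names {
    std::string visibleHostname;              // visible_hostname
    std::vector<std::string> hostnameAliases; // hostname_aliases
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}
// Assumed spellings of wildcard and loopback addresses for this model.
static bool isWildcard(const std::string &a) { return a.empty() || a == "0.0.0.0" || a == "::"; }
static bool isLoopback(const std::string &a) { return a.rfind("127.", 0) == 0 || a == "::1"; }

// True when a /squid-internal... request would be answered by the receiving
// instance; false means it would be forwarded to the host named in the URL.
bool isInternalRequest(const ListeningPort &rx, const Names &names,
                       const std::string &urlHost, unsigned short urlPort,
                       const std::string &urlPath) {
    if (urlPath.rfind("/squid-internal", 0) != 0)
        return false;                 // not an internal URL at all
    if (urlPort != rx.port)
        return false;                 // a port number match is always required
    const std::string host = lower(urlHost);
    if (host == lower(names.visibleHostname))
        return true;
    for (const auto &alias : names.hostnameAliases)
        if (host == lower(alias))
            return true;
    if (!isWildcard(rx.address) && host == lower(rx.address))
        return true;                  // target is the port's listening IP
    if (host == "localhost")          // the temporary special case
        return isWildcard(rx.address) || isLoopback(rx.address);
    return false;                     // forwarded, which can loop back to Squid
}
```

In this model, a port bound to a specific non-loopback address still forwards a `localhost` target, which matches the post's statement that some same-host requests continue to be rejected.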